Microsoft Office 365 ProPlus Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Outlook must be configured to prevent users overriding attachment security settings.
<VulnDiscussion>This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy sett...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
Internet must not be included in Safe Zone for picture download in Outlook.
<VulnDiscussion>This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Inte...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
The Publish to Global Address List (GAL) button must be disabled in Outlook.
<VulnDiscussion>This policy setting controls whether Outlook users can publish e-mail certificates to the Global Address List (GAL). If you...Rule Medium Severity -
SRG-APP-000630
<GroupDescription></GroupDescription>Group -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
The minimum encryption key length in Outlook must be at least 168.
<VulnDiscussion>This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy sett...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
The warning about invalid digital signatures must be enabled to warn Outlook users.
<VulnDiscussion>This policy setting controls how Outlook warns users about messages with invalid digital signatures. If you enable this poli...Rule Medium Severity -
SRG-APP-000605
<GroupDescription></GroupDescription>Group -
Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
<VulnDiscussion>This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certi...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
<VulnDiscussion>This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you c...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
The ability to demote attachments from Level 2 to Level 1 must be disabled.
<VulnDiscussion>This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allo...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
The display of Level 1 attachments must be disabled in Outlook.
<VulnDiscussion>This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two le...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
Level 1 file attachments must be blocked from being delivered.
<VulnDiscussion>This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allo...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
Level 2 file attachments must be blocked from being delivered.
<VulnDiscussion>This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
SRG-APP-000488
<GroupDescription></GroupDescription>Group -
When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality...Rule Medium Severity -
SRG-APP-000488
<GroupDescription></GroupDescription>Group -
When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outl...Rule Medium Severity -
SRG-APP-000488
<GroupDescription></GroupDescription>Group -
When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Inform...Rule Medium Severity -
SRG-APP-000488
<GroupDescription></GroupDescription>Group -
When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically s...Rule Medium Severity -
When an untrusted program attempts to gain access to a recipient field, such as the, To: field, using the Outlook object model, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the...Rule Medium Severity -
SRG-APP-000488
<GroupDescription></GroupDescription>Group -
When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using...Rule Medium Severity -
SRG-APP-000488
<GroupDescription></GroupDescription>Group -
When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it.
<VulnDiscussion>This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outloo...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
Outlook must be configured to not allow hyperlinks in suspected phishing messages.
<VulnDiscussion>This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable t...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned.
<VulnDiscussion>This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose fr...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Trusted Locations on the network must be disabled in Project.
<VulnDiscussion>This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users ...Rule Medium Severity -
SRG-APP-000131
<GroupDescription></GroupDescription>Group -
Project must automatically disable unsigned add-ins without informing users.
<VulnDiscussion>This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are lo...Rule Medium Severity -
SRG-APP-000141
<GroupDescription></GroupDescription>Group -
VBA Macros not digitally signed must be blocked in Project.
<VulnDiscussion>This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are pr...Rule Medium Severity -
SRG-APP-000141
<GroupDescription></GroupDescription>Group -
VBA Macros not digitally signed must be blocked in PowerPoint.
<VulnDiscussion>This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are pr...Rule Medium Severity -
Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked.
<VulnDiscussion>This policy setting allows you to determine whether users can open, view, edit, or save PowerPoint files with the format spec...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.